by John Burchfield
All of the services we offer at DSi fall under the “litigation support” umbrella. Put simply, we provide all aspects of electronic discovery and digital forensics services. Sometimes those two categories intertwine. For example, metadata is important to both eDiscovery and digital forensics.
I’ve written about metadata in the past with regards to our free USB Write Blocker app, which allows you to open a document without altering the metadata. Recently, our digital forensics team uncovered metadata to help our client win an important case.
By definition, metadata is data about data. For computer files, it includes information that is viewable to most people, such as file name, file type, date last opened, date last edited and more. There are also metadata fields that are hidden to typical users, including who created or changed the document, when, on what computer, at what company, what was changed and more. Those details are embedded into the file when it is created or revised.
Metadata can be valuable in litigation, and it goes beyond standard electronic discovery data collection. When applicable, we always use write blocking hardware and software – i.e. hardware write blockers, read-only containers, DSi’s USB Write Blocker, Linux disk mount options and more – to ensure that original data stays untouched, but to collect and analyze it, you need a digital forensics specialist.
In a recent case, one company acquired another company, creating Company A. After the acquisition, some employees started a competitor company, Company B. Company A sued Company B for taking trade secrets and proprietary documents to their new company and using it against Company A.
A specialist from our digital forensic evidence team traveled across the country to collect data from four defendants’ corporate and personal devices, including phones, laptops and desktop computers. Using metadata, DSi could see the points of origin for each file, as well as when, where and by whom documents were created and when and by whom they were last saved. For example, DSi proved that one document that originated from Company A’s server was emailed as an attachment between defendants, and the end result was a rebranded version of a proprietary document from Company A. Our forensic analyst also testified for this case, laying out authors, revisions, who made those changes and when, and the original author.
It is possible to change some metadata, such as the title, subject and authors, but metadata like the date created and computer used to create it cannot be changed. Not every case will have metadata that uncovers several smoking guns, like the case outlined above, but having a digital forensics specialist is important to the overall eDiscovery process.
Metadata is being used more and more often in trial. For example, in 2010, the Washington Supreme Court ruled that metadata is subject to disclosure under the Public Records Act. This year, the city of Shoreline, Wash., failed to provide the metadata of an email that indicated the sender in response to a public records request, and was sued for violating the Public Records Act. The city was ordered to reimburse the plaintiff $438,555 in litigation costs.
Metadata is important, and it can be used in combination with eDiscovery in litigation for better results. As Craig Ball wrote in an article for Law.com:
“In the digital era, metadata are as important as dates, page numbers, and circulation lists were in the paper era.”